Data Processor Terms for Consultants
Last Updated: January 24, 2020
In these Terms, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law, as defined below;
- "Applicable Data Protection Law" shall mean all applicable data privacy, data protection, and cybersecurity laws, rules and regulations to which the parties are subject, including, but not limited to, the California Consumer Privacy Act of 2018 ("CCPA") and the EU General Data Protection Regulation 2016/679 ("GDPR");
- "the Services", "Supercell" and "the Consultant" shall have the meanings set out in the Consulting Agreement (the "Agreement") between Supercell OY and the Consultant which incorporates these Terms. If and to the extent language in these Terms conflicts with the Agreement, these Terms shall control.
- Relationship of the parties: Supercell (the controller) appoints the Consultant as a processor to process personal data relating to its end users, which is processed in the course of providing the services (the "Supercell Data") for the purposes described in the Consulting Agreement (or as otherwise agreed in writing by the parties), but in any case solely for the benefit of Supercell and not the Consultant or a third party (the "Services"). Consultant will act as a "Service Provider" as the term is defined in the CCPA. Neither Consultant nor its subcontractors shall sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Supercell Data to any third party in a way that would constitute "selling" as the term is defined by the CCPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- Duration and Survival: These Terms will become legally binding upon the effective date of the Agreement or upon the date that the Parties sign these Terms, if completed after the effective date of the Agreement. Consultant will process Supercell Data until the relationship terminates as specified in the Agreement. Consultant's obligations and Supercell's rights under these Terms will continue in effect so long as Consultant processes Supercell Data.
- Documented Instructions: Consultant and any subcontractors shall process Supercell Data solely for the purpose of and to the extent necessary to provide the Services to Supercell in accordance with the Agreement, these Terms, and Data Protection Laws. Consultant will, unless legally prohibited from doing so, inform Supercell in writing if it reasonably believes that there is a conflict between Supercell's instructions and applicable law or otherwise seeks to process Supercell Data in a manner that is inconsistent with Supercell's instructions.
- International transfers: the Consultant shall not transfer the Supercell Data (or allow the Supercell Data to be transferred) outside of the European Economic Area ("EEA") without Supercell's prior written consent, which, without prejudice to Supercell's right to refuse or prescribe any other conditions, shall be conditional upon the Consultant ensuring, and demonstrating to the reasonable satisfaction of Supercell, that the conditions under Applicable Data Protection Law are satisfied. For example, where appropriate, the Consultant may enter into standard data protection contractual clauses pursuant to Article 46(2)(c) of the GDPR, or can otherwise rely on active participation in the US-EU Privacy Shield program. If relying on the Privacy Shield, Consultant warrants that it will maintain its Privacy Shield certification during the term of the Agreement and will process the Supercell Data in accordance with the Privacy Shield principles. Consultant will provide written notification to Supercell before it withdraws from or otherwise no longer maintains a current certification to Privacy Shield, or if it can no longer meet its obligations under this Section.
- Confidentiality of processing: The Consultant shall (i) only process the Supercell Data itself, (ii) do so in the strictest confidence and in accordance with the confidentiality provisions in the Consulting Agreement and (iii) not authorise any other person to process the Supercell Data. Any person or Third Party authorized to process Supercell Data must contractually agree to maintain the confidentiality of such information or be under an appropriate statutory obligation of confidentiality.
- Security: The processor shall implement appropriate technical and organisational measures to protect the Supercell Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Supercell Data (a "Security Incident"). At a minimum, such measures shall include:
  - Pseudonymisation of Supercell Data where appropriate, and encryption of Supercell Data in transit and at rest;
  - The ability to ensure the ongoing confidentiality, integrity and availability of Consultant's processing and Supercell Data;
  - The ability to restore the availability and access to Supercell Data in the event of a physical or technical incident;
  - A process for regularly evaluating and testing the effectiveness of the Consultant's Information Security Program to ensure the security of Supercell Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
- to enable Supercell to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Supercell Data. In the event that any such request, correspondence, enquiry or complaint is made directly to the Consultant, the Consultant shall promptly inform Supercell providing full details of the same; and
- in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
- destroy or return to Supercell all Supercell Data in its possession or control; or
- allow an authorised representative of Supercell to have reasonable access to the systems and storage devices used by the Consultant in providing the Services for the purpose of destroying or returning all Supercell Data in the Consultant's possession or control.
This requirement shall not apply to the extent that the Consultant is required by applicable law to retain some or all of the Supercell Data.